Enforce StreamReadConstraints.maxNumberLength for non-blocking (async) parser (#1555)

Author: pjfanning

release-notes/VERSION-2.x

@@ -20,6 +20,9 @@ a pure JSON library.
  (reported by @ventusfortis)
 #1548: `StreamReadConstraints.maxDocumentLength` not checked when
   creating parser with fixed buffer
+#1555: Enforce `StreamReadConstraints.maxNumberLength` for
+  non-blocking (async) parser
+ (fix by @pjfanning)
 
 2.18.5 (27-Oct-2025)
  (same as 2.18.4.1 on 10-June-2025)

src/main/java/com/fasterxml/jackson/core/json/async/NonBlockingUtf8JsonParserBase.java

@@ -2,6 +2,7 @@
 
 import com.fasterxml.jackson.core.JsonParseException;
 import com.fasterxml.jackson.core.JsonToken;
+import com.fasterxml.jackson.core.exc.StreamConstraintsException;
 import com.fasterxml.jackson.core.io.CharTypes;
 import com.fasterxml.jackson.core.io.IOContext;
 import com.fasterxml.jackson.core.json.JsonReadFeature;
@@ -363,7 +364,7 @@ protected final JsonToken _finishTokenWithEOF() throws IOException
                 if (_numberNegative) {
                     --len;
                 }
-                _intLength = len;
+                _setIntLength(len);
             }
             return _valueComplete(JsonToken.VALUE_NUMBER_INT);
 
@@ -1300,15 +1301,15 @@ protected JsonToken _startPositiveNumber(int ch) throws IOException
         while (true) {
             if (ch < INT_0) {
                 if (ch == INT_PERIOD) {
-                    _intLength = outPtr;
+                    _setIntLength(outPtr);
                     ++_inputPtr;
                     return _startFloat(outBuf, outPtr, ch);
                 }
                 break;
             }
             if (ch > INT_9) {
                 if ((ch | 0x20) == INT_e) { // ~ 'eE'
-                    _intLength = outPtr;
+                    _setIntLength(outPtr);
                     ++_inputPtr;
                     return _startFloat(outBuf, outPtr, ch);
                 }
@@ -1327,7 +1328,7 @@ protected JsonToken _startPositiveNumber(int ch) throws IOException
             }
             ch = getByteFromBuffer(_inputPtr) & 0xFF;
         }
-        _intLength = outPtr;
+        _setIntLength(outPtr);
         _textBuffer.setCurrentLength(outPtr);
         return _valueComplete(JsonToken.VALUE_NUMBER_INT);
     }
@@ -1367,15 +1368,15 @@ protected JsonToken _startNegativeNumber() throws IOException
         while (true) {
             if (ch < INT_0) {
                 if (ch == INT_PERIOD) {
-                    _intLength = outPtr-1;
+                    _setIntLength(outPtr-1);
                     ++_inputPtr;
                     return _startFloat(outBuf, outPtr, ch);
                 }
                 break;
             }
             if (ch > INT_9) {
                 if ((ch | 0x20) == INT_e) { // ~ 'eE'
-                    _intLength = outPtr-1;
+                    _setIntLength(outPtr-1);
                     ++_inputPtr;
                     return _startFloat(outBuf, outPtr, ch);
                 }
@@ -1393,7 +1394,7 @@ protected JsonToken _startNegativeNumber() throws IOException
             }
             ch = getByteFromBuffer(_inputPtr) & 0xFF;
         }
-        _intLength = outPtr-1;
+        _setIntLength(outPtr-1);
         _textBuffer.setCurrentLength(outPtr);
         return _valueComplete(JsonToken.VALUE_NUMBER_INT);
     }
@@ -1439,15 +1440,15 @@ protected JsonToken _startPositiveNumber() throws IOException
         while (true) {
             if (ch < INT_0) {
                 if (ch == INT_PERIOD) {
-                    _intLength = outPtr-1;
+                    _setIntLength(outPtr-1);
                     ++_inputPtr;
                     return _startFloat(outBuf, outPtr, ch);
                 }
                 break;
             }
             if (ch > INT_9) {
                 if ((ch | 0x20) == INT_e) { // ~ 'eE'
-                    _intLength = outPtr-1;
+                    _setIntLength(outPtr-1);
                     ++_inputPtr;
                     return _startFloat(outBuf, outPtr, ch);
                 }
@@ -1465,7 +1466,7 @@ protected JsonToken _startPositiveNumber() throws IOException
             }
             ch = getByteFromBuffer(_inputPtr) & 0xFF;
         }
-        _intLength = outPtr-1;
+        _setIntLength(outPtr-1);
         _textBuffer.setCurrentLength(outPtr);
         return _valueComplete(JsonToken.VALUE_NUMBER_INT);
     }
@@ -1697,15 +1698,15 @@ protected JsonToken _finishNumberIntegralPart(char[] outBuf, int outPtr) throws
             int ch = getByteFromBuffer(_inputPtr) & 0xFF;
             if (ch < INT_0) {
                 if (ch == INT_PERIOD) {
-                    _intLength = outPtr+negMod;
+                    _setIntLength(outPtr+negMod);
                     ++_inputPtr;
                     return _startFloat(outBuf, outPtr, ch);
                 }
                 break;
             }
             if (ch > INT_9) {
                 if ((ch | 0x20) == INT_e) { // ~ 'eE'
-                    _intLength = outPtr+negMod;
+                    _setIntLength(outPtr+negMod);
                     ++_inputPtr;
                     return _startFloat(outBuf, outPtr, ch);
                 }
@@ -1719,7 +1720,7 @@ protected JsonToken _finishNumberIntegralPart(char[] outBuf, int outPtr) throws
             }
             outBuf[outPtr++] = (char) ch;
         }
-        _intLength = outPtr+negMod;
+        _setIntLength(outPtr+negMod);
         _textBuffer.setCurrentLength(outPtr);
         return _valueComplete(JsonToken.VALUE_NUMBER_INT);
     }
@@ -1736,7 +1737,7 @@ protected JsonToken _startFloat(char[] outBuf, int outPtr, int ch) throws IOExce
                 if (_inputPtr >= _inputEnd) {
                     _textBuffer.setCurrentLength(outPtr);
                     _minorState = MINOR_NUMBER_FRACTION_DIGITS;
-                    _fractLength = fractLen;
+                    _setFractLength(fractLen);
                     return _updateTokenToNA();
                 }
                 ch = getNextSignedByteFromBuffer(); // ok to have sign extension for now
@@ -1757,7 +1758,7 @@ protected JsonToken _startFloat(char[] outBuf, int outPtr, int ch) throws IOExce
                 ++fractLen;
             }
         }
-        _fractLength = fractLen;
+        _setFractLength(fractLen);
         int expLen = 0;
         if ((ch | 0x20) == INT_e) { // ~ 'eE' exponent?
             if (outPtr >= outBuf.length) {
@@ -1793,7 +1794,7 @@ protected JsonToken _startFloat(char[] outBuf, int outPtr, int ch) throws IOExce
                 if (_inputPtr >= _inputEnd) {
                     _textBuffer.setCurrentLength(outPtr);
                     _minorState = MINOR_NUMBER_EXPONENT_DIGITS;
-                    _expLength = expLen;
+                    _setExpLength(expLen);
                     return _updateTokenToNA();
                 }
                 ch = getNextSignedByteFromBuffer();
@@ -1808,7 +1809,7 @@ protected JsonToken _startFloat(char[] outBuf, int outPtr, int ch) throws IOExce
         --_inputPtr;
         _textBuffer.setCurrentLength(outPtr);
         // negative, int-length, fract-length already set, so...
-        _expLength = expLen;
+        _setExpLength(expLen);
         return _valueComplete(JsonToken.VALUE_NUMBER_FLOAT);
     }
 
@@ -1830,7 +1831,7 @@ protected JsonToken _finishFloatFraction() throws IOException
                 outBuf[outPtr++] = (char) ch;
                 if (_inputPtr >= _inputEnd) {
                     _textBuffer.setCurrentLength(outPtr);
-                    _fractLength = fractLen;
+                    _setFractLength(fractLen);
                     return JsonToken.NOT_AVAILABLE;
                 }
                 ch = getNextSignedByteFromBuffer();
@@ -1850,7 +1851,7 @@ protected JsonToken _finishFloatFraction() throws IOException
                 _reportUnexpectedNumberChar(ch, "Decimal point not followed by a digit");
             }
         }
-        _fractLength = fractLen;
+        _setFractLength(fractLen);
         _textBuffer.setCurrentLength(outPtr);
 
         // Ok: end of floating point number or exponent?
@@ -1900,7 +1901,7 @@ protected JsonToken _finishFloatExponent(boolean checkSign, int ch) throws IOExc
             outBuf[outPtr++] = (char) ch;
             if (_inputPtr >= _inputEnd) {
                 _textBuffer.setCurrentLength(outPtr);
-                _expLength = expLen;
+                _setExpLength(expLen);
                 return JsonToken.NOT_AVAILABLE;
             }
             ch = getNextSignedByteFromBuffer();
@@ -1914,7 +1915,7 @@ protected JsonToken _finishFloatExponent(boolean checkSign, int ch) throws IOExc
         --_inputPtr;
         _textBuffer.setCurrentLength(outPtr);
         // negative, int-length, fract-length already set, so...
-        _expLength = expLen;
+        _setExpLength(expLen);
         return _valueComplete(JsonToken.VALUE_NUMBER_FLOAT);
     }
 
@@ -2998,4 +2999,21 @@ private final int _decodeUTF8_4(int c, int d, int e, int f) throws IOException
     /* Internal methods, other
     /**********************************************************************
      */
+
+    private void _setIntLength(final int len) throws StreamConstraintsException {
+        _streamReadConstraints.validateIntegerLength(len);
+        _intLength = len;
+    }
+
+    private void _setFractLength(final int len) throws StreamConstraintsException {
+        // assumes that the _intLength has been updated first
+        _streamReadConstraints.validateFPLength(_intLength + len);
+        _fractLength = len;
+    }
+
+    private void _setExpLength(final int len) throws StreamConstraintsException {
+        // assumes that the _intLength and _fractLength have been updated already
+        _streamReadConstraints.validateFPLength(_intLength + _fractLength + len);
+        _expLength = len;
+    }
 }

src/test/java/com/fasterxml/jackson/core/constraints/AsyncLargeNumberReadTest.java

@@ -0,0 +1,107 @@
+package com.fasterxml.jackson.core.constraints;
+
+import com.fasterxml.jackson.core.async.ByteArrayFeeder;
+import org.junit.jupiter.api.Test;
+
+import com.fasterxml.jackson.core.*;
+import com.fasterxml.jackson.core.exc.StreamConstraintsException;
+import com.fasterxml.jackson.core.JsonFactory;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers
+ */
+class AsyncLargeNumberReadTest
+    extends com.fasterxml.jackson.core.JUnit5TestBase
+{
+    private static final int TEST_NUMBER_LENGTH = StreamReadConstraints.DEFAULT_MAX_NUM_LEN * 2;
+
+    private final JsonFactory JSON_F = newStreamFactory();
+
+    @Test
+    void asyncParserFailsTooLongInt() throws Exception {
+        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);
+
+        try (JsonParser p = JSON_F.createNonBlockingByteArrayParser()) {
+            ByteArrayFeeder byteArrayFeeder = (ByteArrayFeeder) p;
+            byteArrayFeeder.feedInput(payload, 0, payload.length);
+            byteArrayFeeder.endOfInput();
+    
+            _asyncParserFailsTooLongNumber(p, JsonToken.VALUE_NUMBER_INT);
+        }
+    }
+
+    @Test
+    void asyncParserFailsTooLongDecimal() throws Exception {
+        byte[] payload = buildPayloadWithLongDecimal(TEST_NUMBER_LENGTH);
+
+        try (JsonParser p = JSON_F.createNonBlockingByteArrayParser()) {
+            ByteArrayFeeder byteArrayFeeder = (ByteArrayFeeder) p;
+            byteArrayFeeder.feedInput(payload, 0, payload.length);
+            byteArrayFeeder.endOfInput();
+
+            _asyncParserFailsTooLongNumber(p, JsonToken.VALUE_NUMBER_FLOAT);
+        }
+    }
+
+    @Test
+    void asyncParserFailsTooLongDecimalWithExponent() throws Exception {
+        byte[] payload = buildPayloadWithLongExponent(TEST_NUMBER_LENGTH);
+
+        try (JsonParser p = JSON_F.createNonBlockingByteArrayParser()) {
+            ByteArrayFeeder byteArrayFeeder = (ByteArrayFeeder) p;
+            byteArrayFeeder.feedInput(payload, 0, payload.length);
+            byteArrayFeeder.endOfInput();
+
+            _asyncParserFailsTooLongNumber(p, JsonToken.VALUE_NUMBER_FLOAT);
+        }
+    }
+    
+    private void _asyncParserFailsTooLongNumber(JsonParser p, JsonToken tokenMatch) throws Exception {
+        boolean foundNumber = false;
+        try {
+            while (p.nextToken() != null) {
+                if (p.currentToken() == tokenMatch) {
+                    foundNumber = true;
+                    String numberText = p.getText();
+                    assertEquals(TEST_NUMBER_LENGTH, numberText.length(),
+                            "Async parser silently accepted all " + TEST_NUMBER_LENGTH + " digits");
+                }
+            }
+            fail("Async parser must reject a " + TEST_NUMBER_LENGTH + "-digit number (number found? "+foundNumber+")");
+        } catch (StreamConstraintsException e) {
+            verifyException(e, "Number value length (");
+            verifyException(e, " exceeds the maximum allowed");
+        }
+    }
+
+    private byte[] buildPayloadWithLongInteger(int numDigits) {
+        StringBuilder sb = new StringBuilder(numDigits + 10);
+        sb.append("{\"v\":");
+        for (int i = 0; i < numDigits; i++) {
+            sb.append((char) ('1' + (i % 9)));
+        }
+        sb.append('}');
+        return utf8Bytes(sb.toString());
+    }
+
+    private byte[] buildPayloadWithLongDecimal(int numDigits) {
+        StringBuilder sb = new StringBuilder(numDigits + 10);
+        sb.append("{\"v\":0.");
+        for (int i = 0; i < numDigits; i++) {
+            sb.append((char) ('1' + (i % 9)));
+        }
+        sb.append('}');
+        return utf8Bytes(sb.toString());
+    }
+
+    private byte[] buildPayloadWithLongExponent(int numDigits) {
+        StringBuilder sb = new StringBuilder(numDigits + 10);
+        sb.append("{\"v\":1.1E");
+        for (int i = 0; i < numDigits; i++) {
+            sb.append((char) ('1' + (i % 9)));
+        }
+        return utf8Bytes(sb.toString());
+    }
+}

src/test/java/com/fasterxml/jackson/core/constraints/LargeNumberReadTest.java

@@ -14,7 +14,6 @@
  * Set of basic unit tests for verifying that "too big" number constraints
  * are caught by various JSON parser backends.
  */
-
 @SuppressWarnings("resource")
 class LargeNumberReadTest
         extends com.fasterxml.jackson.core.JUnit5TestBase